Solved: I intalled new IOS you

Ivan Rezvantsev · ‎07-13-2016

Good day.

We have configured QoS in DMVPN with this guide:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-per-tunnel-qos.html

It is working well in test lab stand with cisco 881 or cisco 2901 as a hub and 881 and 2901 as a spokes with this ios:

c880data-universalk9-mz.152-4.M1.bin

c2900-universalk9-mz.SPA.152-4.M2.bin

But not with 4451-X as a hub.

In real world we have ISR4451-X/K9 (isr4400-universalk9.03.16.01a.S.155-3.S1a-ext.SPA.bi) as a hub and spokes 881 and 2901 as listed above. And I see something strange. hub tunnel interface:

interface Tunnel5
 description DMVPN_tunnels
 ip address 172.19.0.1 255.255.252.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10101
 ip nhrp holdtime 300
ip tcp adjust-mss 1360
 delay 1000
 nhrp map group 10M-TESTING service-policy output 10M-TESTING
 nhrp map group 15M-TESTING service-policy output 15M-TESTING
 nhrp map group 20M-TESTING service-policy output 20M-TESTING
 nhrp map group 3M-TESTING service-policy output 3M-TESTING
 tunnel source Port-channel2
 tunnel mode gre multipoint
 tunnel key 100
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpn shared

show dmvpn detail shows that all correct:

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
 1 XXX.XXX.XXX.XXX 172.19.0.2 UP 05:41:18 D 172.19.0.2/32
NHRP group: 3M-TESTING
 Output QoS service-policy applied: 3M-TESTING
1 XXX.XXX.XXX.XXX 172.19.0.19 UP 1w1d D 172.19.0.19/32
NHRP group: 20M-TESTING
 Output QoS service-policy applied: 20M-TESTING
1 XXX.XXX.XXX.XXX 172.19.0.23 UP 1d02h D 172.19.0.23/32
NHRP group: 20M-TESTING
 Output QoS service-policy applied: 20M-TESTING
 1 XXX.XXX.XXX.XXX 172.19.0.24 UP 1w2d D 172.19.0.24/32
NHRP group: 15M-TESTING
 Output QoS service-policy applied: 15M-TESTING

but show nhrp group-map shows that there is no policy applied:

Interface: Tunnel5
 NHRP group: 10M-TESTING
 QoS policy: 10M-TESTING
 Transport endpoints using the qos policy: None

NHRP group: 15M-TESTING
 QoS policy: 15M-TESTING
 Transport endpoints using the qos policy: None

NHRP group: 20M-TESTING
 QoS policy: 20M-TESTING
 Transport endpoints using the qos policy: None

NHRP group: 3M-TESTING
 QoS policy: 3M-TESTING
 Transport endpoints using the qos policy: None

and show policy-map multipoint tunnel 5 shows nothing.

And on the traffic monitor I see that polices are not working.

For example spoke config from 881:

interface Tunnel5
 description DMVPN
 ip address 172.19.0.2 255.255.252.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication cisco
 ip nhrp group 3M-TESTING
 ip nhrp map multicast XXX.XXX.XXX.XXX
 ip nhrp map 172.19.0.1 XXX.XXX.XXX.XXX
 ip nhrp network-id 10101
 ip nhrp holdtime 300
 ip nhrp nhs 172.19.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100
 tunnel path-mtu-discovery
 tunnel protection ipsec profile one shared

Any ideas why this happens? And what I need to do to make qos work with 4451-X as hub?

Philip D'Ath · ‎07-13-2016

You are a couple of releases out in your software train on the 4451. I would upgrade to a gold star release like 3.16.3S before investing too much time in figuring out the issue.

https://software.cisco.com/download/release.html?mdfid=284389362&softwareid=282046477&release=3.16.3S&relind=AVAILABLE&rellifecycle=ED&reltype=latest

View solution in original post

Philip D'Ath · ‎07-13-2016

You are a couple of releases out in your software train on the 4451. I would upgrade to a gold star release like 3.16.3S before investing too much time in figuring out the issue.

https://software.cisco.com/download/release.html?mdfid=284389362&softwareid=282046477&release=3.16.3S&relind=AVAILABLE&rellifecycle=ED&reltype=latest

Philip D'Ath · ‎07-13-2016

Interestingly, the release notes make special mention of this guide for Tunnel QoS. Note this is a specific IOS-XE guide, as compared to the IOS guide you posted above.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-per-tunnel-qos.html

Ivan Rezvantsev · ‎07-14-2016

I intalled new IOS you recommended. But the problem not the IOS I saw in the guide:

The Per-Tunnel QoS for DMVPN feature does not support the following:

Per-Tunnel QoS for IPv4 or IPv6 or Multiprotocol Label Switching (MPLS) VPN over DMVPN with Layer 2 Tunnel Protocol (L2TP) transport.
Per-Tunnel QoS for IPv4 or IPv6 or MPLS VPN over DMVPN on a port-channel interface or aggregate port-channel interface.

It does not support port-channel source interface. And it is extremly bad.

Any ideas how to make qos in such DMVPN enviroment ? We have many voip and video which is poor quality because DMVPN cloud made on low quality Internet links.

Philip D'Ath · ‎07-14-2016

The only other option I can think of is to do to it radically differently. Use the tunnel "qos pre-classify" option, and then performance QoS on the physical interface that all the tunnels run out of. Note this will do it for the entire circuit then, and not per "connection".

Not as good, but much better than nothing.

QoS in DMVPN cloud doesn't work with ISR4451-X as a hub